alchemy-core-workflow-a

Pass

Audited by Gen Agent Trust Hub on Apr 13, 2026

Risk Level: SAFE
PROMPT_INJECTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill requires the alchemy-sdk Node.js package, which is the official client library for Alchemy's blockchain APIs.
  • [COMMAND_EXECUTION]: The skill utilizes Bash(npm:*) as an allowed tool to facilitate the installation of required packages.
  • [PROMPT_INJECTION]: The skill possesses an indirect prompt injection surface as it ingests untrusted data from the blockchain.
      • Ingestion points: Untrusted data enters via Alchemy SDK responses in src/portfolio/fetcher.ts, src/portfolio/transactions.ts, and src/portfolio/multi-chain.ts.
      • Boundary markers: No boundary markers or instructions to ignore embedded commands are included in the code snippets.
      • Capability inventory: The agent environment has access to Read, Write, Edit, Bash(npm:*), and Grep.
      • Sanitization: No explicit sanitization or escaping of the retrieved blockchain metadata is performed.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 13, 2026, 09:30 PM